What creates security around passkey creation that makes it stronger than a password?

I understand the concept of passkey use – a digital cert stored on and bound to the local device, accessed via biometrics, screen lock, or some other locally-defined token. I also understand how, once created, passkeys are stronger than passwords since they are not prone to replay attacks from other devices.

What I don’t understand is the security around passkey creation itself. Doesn’t that involve your password? So how is the security of the resulting system of passkeys stronger than the password used when creating the passkey? Why can’t an attacker, knowing your password, just create a new passkey on a new device to access your account?
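The replay resistance the question refers to, as an added example that is not part of the original post: a simplified model of a passkey login in which the server issues a one-time challenge and the device signs it. The `RelyingParty` class, the `createPasskey` helper and the origin `https://example.test` are assumptions made for illustration, and the signed message (challenge plus origin) is a simplification rather than the real WebAuthn wire format.

```javascript
// Added illustration: simplified model of a passkey login, not the real WebAuthn wire format.
const nodeCrypto = require("node:crypto");

// Authenticator side: the private key is generated on the device and never leaves it.
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKey, // the only part the server stores at registration
    sign: (challenge, origin) =>
      nodeCrypto.sign("sha256", Buffer.concat([challenge, Buffer.from(origin)]), privateKey),
  };
}

// Server side (hypothetical relying party): one-time challenges plus a signature check.
class RelyingParty {
  constructor(origin, publicKey) {
    this.origin = origin;
    this.publicKey = publicKey;
    this.pending = new Set(); // challenges issued but not yet used
  }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32);
    this.pending.add(c.toString("hex"));
    return c;
  }
  verify(challenge, signature) {
    // A challenge is accepted once; delete() returns false if it was never issued or already used.
    if (!this.pending.delete(challenge.toString("hex"))) return false;
    const signed = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return nodeCrypto.verify("sha256", signed, this.publicKey, signature);
  }
}

function demo() {
  const origin = "https://example.test"; // constructed sample origin
  const passkey = createPasskey();
  const rp = new RelyingParty(origin, passkey.publicKey);

  const c1 = rp.newChallenge();
  const captured = passkey.sign(c1, origin); // the response as recorded by an observer
  const firstLogin = rp.verify(c1, captured);
  const replaySameChallenge = rp.verify(c1, captured); // challenge already consumed
  const replayNewChallenge = rp.verify(rp.newChallenge(), captured); // signature covers c1 only
  return { firstLogin, replaySameChallenge, replayNewChallenge };
}
```

A password, by contrast, is the same string on every login, so a recorded copy is accepted again from any device.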